diff --git a/cmd/hepa/main.go b/cmd/hepa/main.go
index 3d3f2d809..f7815cfc5 100644
--- a/cmd/hepa/main.go
+++ b/cmd/hepa/main.go
@@ -44,6 +44,12 @@ func run(args []string) error {
 			Value:   "https://plc.directory",
 			EnvVars: []string{"ATP_PLC_HOST"},
 		},
+		&cli.StringFlag{
+			Name:    "atp-mod-host",
+			Usage:   "method, hostname, and port of moderation service",
+			Value:   "https://api.bsky.app",
+			EnvVars: []string{"ATP_MOD_HOST"},
+		},
 	}
 
 	app.Commands = []*cli.Command{
@@ -69,6 +75,21 @@ var runCmd = &cli.Command{
 			Value:   100,
 			EnvVars: []string{"HEPA_PLC_RATE_LIMIT"},
 		},
+		&cli.StringFlag{
+			Name:    "mod-handle",
+			Usage:   "for mod service login",
+			EnvVars: []string{"HEPA_MOD_AUTH_HANDLE"},
+		},
+		&cli.StringFlag{
+			Name:    "mod-password",
+			Usage:   "for mod service login",
+			EnvVars: []string{"ATP_MOD_AUTH_PASSWORD"},
+		},
+		&cli.StringFlag{
+			Name:    "mod-admin-token",
+			Usage:   "admin authentication password for mod service",
+			EnvVars: []string{"ATP_MOD_AUTH_ADMIN_TOKEN"},
+		},
 	},
 	Action: func(cctx *cli.Context) error {
 		ctx := context.Background()
@@ -93,8 +114,12 @@ var runCmd = &cli.Command{
 		srv, err := NewServer(
 			&dir,
 			Config{
-				BGSHost: cctx.String("atp-bgs-host"),
-				Logger:  logger,
+				BGSHost:       cctx.String("atp-bgs-host"),
+				Logger:        logger,
+				ModHost:       cctx.String("atp-mod-host"),
+				ModAdminToken: cctx.String("mod-admin-token"),
+				ModUsername:   cctx.String("mod-handle"),
+				ModPassword:   cctx.String("mod-password"),
 			},
 		)
 		if err != nil {
diff --git a/cmd/hepa/server.go b/cmd/hepa/server.go
index 5abf6a30f..e693b232f 100644
--- a/cmd/hepa/server.go
+++ b/cmd/hepa/server.go
@@ -1,15 +1,19 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"os"
 	"strings"
 
+	comatproto "github.com/bluesky-social/indigo/api/atproto"
 	"github.com/bluesky-social/indigo/atproto/identity"
 	"github.com/bluesky-social/indigo/automod"
 	"github.com/bluesky-social/indigo/automod/rules"
+	"github.com/bluesky-social/indigo/util"
+	"github.com/bluesky-social/indigo/xrpc"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -21,8 +25,12 @@ type Server struct {
 }
 
 type Config struct {
-	BGSHost string
-	Logger  *slog.Logger
+	BGSHost       string
+	ModHost       string
+	ModAdminToken string
+	ModUsername   string
+	ModPassword   string
+	Logger        *slog.Logger
 }
 
 func NewServer(dir identity.Directory, config Config) (*Server, error) {
@@ -38,13 +46,35 @@ func NewServer(dir identity.Directory, config Config) (*Server, error) {
 		return nil, fmt.Errorf("specified bgs host must include 'ws://' or 'wss://'")
 	}
 
+	// TODO: this isn't a very robust way to handle a peristent client
+	var xrpcc *xrpc.Client
+	if config.ModAdminToken != "" {
+		xrpcc = &xrpc.Client{
+			Client:     util.RobustHTTPClient(),
+			Host:       config.ModHost,
+			AdminToken: &config.ModAdminToken,
+		}
+
+		auth, err := comatproto.ServerCreateSession(context.TODO(), xrpcc, &comatproto.ServerCreateSession_Input{
+			Identifier: config.ModUsername,
+			Password:   config.ModPassword,
+		})
+		if err != nil {
+			return nil, err
+		}
+		xrpcc.Auth.AccessJwt = auth.AccessJwt
+		xrpcc.Auth.RefreshJwt = auth.RefreshJwt
+		xrpcc.Auth.Did = auth.Did
+		xrpcc.Auth.Handle = auth.Handle
+	}
+
 	engine := automod.Engine{
 		Logger:      logger,
 		Directory:   dir,
 		Counters:    automod.NewMemCountStore(),
 		Sets:        automod.NewMemSetStore(),
 		Rules:       rules.DefaultRules(),
-		AdminClient: nil, // TODO: AppView with mod access, via config
+		AdminClient: xrpcc,
 	}
 
 	s := &Server{